Scenario:

1. How do I securely login?

2. How do I protect my account?


Multi-Factor Authentication (MFA) is an account security enhancement to Gradelink that, when active, requires Users to enter a unique code sent to the email address associated with their Gradelink account before they can log in. When the feature is enabled, Users will not be able to log in with only their School ID, Username, and Password. Because a User's Gradelink account is linked to an email address that only the User has access to, someone who obtains the password alone still cannot get into the account, which makes unauthorized access significantly more difficult.

On the Login page, after a User enters valid credentials (School ID, Username, and Password; all three must be present) and clicks "Log In", they should be taken to the MFA page. The User should still be taken to the MFA page even if they use Google Single Sign-On instead of entering their credentials manually.

On the MFA page, if the User has an email address associated with their account and the corresponding MFA setting is enabled, display text will indicate to which email address the User's Passcode has been sent. The email address will be "masked" by replacing every character except the first character before the @ symbol and the first character after it with asterisks; for example, jane.doe@school.example would be shown as j*******@s*************.


The email sent to the User should look like the following example:


  • The "Sender" name should be "Gradelink OTP"
  • The "Sender" email should be "OTP@gradelink.com"
  • The Subject Line should be "Gradelink One-Time Passcode"
  • The "Passcode Expiration" value should be dynamic and reflect the corresponding value in the Security Settings page (see below)

Back on the MFA page, if the User enters an incorrect or expired Passcode, they will be prompted to try again. They will see different error messages depending on what they enter into the Passcode field:


If the User enters the wrong Passcode 5 or more times, their account will be locked as a security precaution.

If the User needs a new Passcode to be generated, they will click on a link below the Passcode field. This will automatically trigger another email to be sent. If the previous Passcode is still valid, then the new email will contain the same Passcode. Otherwise, a new Passcode should be generated.

If the User enters the correct, unexpired Passcode and clicks "Submit", they should be logged into Gradelink.

Gradelink Administrators will be able to manage various settings related to MFA via the Security Settings page found in the Settings tab.

The "Reset MFA" setting will control how long a completed Authentication is valid before the User will be asked to complete the process again. This menu will have options ranging from 0 to 30 days. If "0" is selected, the User will be prompted to complete the MFA process every time they log in to Gradelink, even if they have already completed MFA earlier that same day.

The final setting will control how long One-Time Passcodes stay valid before the User will need to generate a new one. This menu will have options ranging from 5 to 15 minutes. These values are significantly shorter than the values in the previous menu as a security precaution: a Passcode delivered by email is only needed for the few minutes it takes to read it, so a short validity window limits what someone who gains access to the mailbox later could do with it.
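The MFA page behaviour and the two Security Settings described above, as an added worked example in Python. This is not Gradelink's own code: the six-digit passcode length, the 10-minute and 7-day default values, the `MfaService`/`MfaState` names and the in-memory `sent_emails` list standing in for the mail gateway are all assumptions made for the example. It shows the parts a practitioner would want to get right: the email masking rule, re-sending an unexpired Passcode unchanged, a constant-time comparison, an "expired" result that does not count toward the lockout while a wrong entry does, locking on the fifth wrong entry (and not resetting that counter when a new code is requested), consuming the Passcode on success, and honouring "Reset MFA" = 0 as "every login".

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed defaults for the two Security Settings menus (example values, not from the page).
PASSCODE_TTL_SECONDS = 10 * 60   # "Passcode Expiration": the page allows 5 to 15 minutes
RESET_MFA_DAYS = 7               # "Reset MFA": the page allows 0 to 30 days
MAX_WRONG_ATTEMPTS = 5           # the page locks the account after 5 wrong Passcodes
PASSCODE_DIGITS = 6              # assumption; the page does not state the Passcode length


def mask_email(address: str) -> str:
    """Mask as the MFA page does: keep only the first character before and after the '@'."""
    local, _, domain = address.partition("@")
    return f"{local[:1]}{'*' * (len(local) - 1)}@{domain[:1]}{'*' * (len(domain) - 1)}"


@dataclass
class MfaState:
    """Per-User MFA bookkeeping that a real deployment would keep server-side."""
    passcode: Optional[str] = None     # last issued code; kept after expiry so it can be reported as expired
    expires_at: float = 0.0
    wrong_attempts: int = 0
    locked: bool = False
    mfa_completed_at: Optional[float] = None


class MfaService:
    def __init__(self, ttl: int = PASSCODE_TTL_SECONDS, reset_days: int = RESET_MFA_DAYS,
                 max_wrong: int = MAX_WRONG_ATTEMPTS, clock: Callable[[], float] = time.time):
        self.ttl, self.reset_days, self.max_wrong, self.clock = ttl, reset_days, max_wrong, clock
        self.sent_emails: list = []    # constructed stand-in for the outbound mail gateway

    def needs_mfa(self, state: MfaState) -> bool:
        """'Reset MFA' = 0 forces MFA on every login; otherwise a completed MFA lasts reset_days."""
        if self.reset_days == 0 or state.mfa_completed_at is None:
            return True
        return self.clock() - state.mfa_completed_at >= self.reset_days * 86400

    def send_passcode(self, state: MfaState, email: str) -> str:
        """Issue a Passcode, or re-send the current one unchanged if it is still valid."""
        now = self.clock()
        if state.passcode is None or now >= state.expires_at:
            state.passcode = "".join(secrets.choice("0123456789") for _ in range(PASSCODE_DIGITS))
            state.expires_at = now + self.ttl
        # Note: wrong_attempts is deliberately NOT reset here, so requesting new codes
        # cannot be used to dodge the lockout.
        self.sent_emails.append({
            "from": "Gradelink OTP <OTP@gradelink.com>",
            "to": email,
            "subject": "Gradelink One-Time Passcode",
            "body": f"Your passcode is {state.passcode}. It expires in {self.ttl // 60} minutes.",
        })
        return state.passcode

    def verify(self, state: MfaState, entered: str) -> str:
        """Return 'ok', 'locked', 'expired' or 'wrong' (the page's distinct outcomes)."""
        if state.locked:
            return "locked"
        matches = state.passcode is not None and hmac.compare_digest(
            state.passcode.encode(), entered.encode())   # constant-time comparison
        if not matches:
            state.wrong_attempts += 1
            if state.wrong_attempts >= self.max_wrong:
                state.locked = True
                return "locked"
            return "wrong"
        if self.clock() >= state.expires_at:
            return "expired"           # right code, too late: ask for a new one, no lockout penalty
        state.passcode = None          # consume the code so it cannot be replayed
        state.wrong_attempts = 0
        state.mfa_completed_at = self.clock()
        return "ok"


if __name__ == "__main__":
    svc, st = MfaService(), MfaState()
    code = svc.send_passcode(st, "jane.doe@school.example")
    print("Passcode sent to", mask_email("jane.doe@school.example"))
    print(svc.verify(st, "not-a-code"), svc.verify(st, code), svc.needs_mfa(st))
```

The `clock` parameter exists only so that expiry and the "Reset MFA" window can be exercised deterministically; in production it would simply be `time.time`. Mailbox compromise is the residual risk of email OTP, which is why the short Passcode validity window and the one-time consumption on success matter.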